NextPVR Forums
Access EWA from Internet how secure? what options

 
pippya
Offline

Junior Member

Posts: 14
Threads: 4
Joined: Feb 2009
#1
2009-02-25, 12:20 PM
Hi

What is the most secure/practical way to use EWA from the internet?

I only ever use EWA, as the machine is headless in a spare room.

For starters, I believe there are 3 options:

1. VPN in to your local LAN (I use this method currently; works well with Cisco PIX, I can stream but need a fast connection, impractical due to needing a Cisco client)

2. Port forwarding from your router, use a high port number; I presume you change the defaults 7647 and 7648? How secure is WinXP in this instance? What's the likelihood of someone compromising the machine to gain access to your network? As it's not SSL, username and password can be read with sniffers? Assume firewall is on and password is enabled to EWA. This works for me also; I have disabled port forwarding till the outcome of this discussion.

3. Use a web server, e.g. an IIS virtual directory. I have read the previous discussions and had access permission errors; will try again later. This would be my preferred, as I could connect to my IIS web server via SSL and connect to GBPVR from there. No snooping of usernames and passwords.

Please let me know your thoughts.
psycik
Offline

Posting Freak

Posts: 5,210
Threads: 424
Joined: Sep 2005
#2
2009-02-25, 06:56 PM
pippya Wrote: Hi

What is the most secure/practical way to use EWA from the internet?

I only ever use EWA, as the machine is headless in a spare room.

For starters, I believe there are 3 options:

1. VPN in to your local LAN (I use this method currently; works well with Cisco PIX, I can stream but need a fast connection, impractical due to needing a Cisco client)

A similar method, a little more lightweight, is to run an SSH server at home, then use PuTTY to connect to that SSH server (put the SSH on its default 22 or port 443), then use PuTTY tunneling to access EWA.

So where I am http://localhost:7647/gbpvr tunnels to http://balrog/7647/gbpvr on my home network.

pippya Wrote: 2. Port forwarding from your router, use a high port number; I presume you change the defaults 7647 and 7648? How secure is WinXP in this instance? What's the likelihood of someone compromising the machine to gain access to your network? As it's not SSL, username and password can be read with sniffers? Assume firewall is on and password is enabled to EWA. This works for me also; I have disabled port forwarding till the outcome of this discussion.

This is also quite a good one, especially if only the one port. Not sure how secure the authentication page is, like is it clear text etc., but I do this one as well when I'm out with no PuTTY client (i.e. cellphone access).

pippya Wrote: 3. Use a web server, e.g. an IIS virtual directory. I have read the previous discussions and had access permission errors; will try again later. This would be my preferred, as I could connect to my IIS web server via SSL and connect to GBPVR from there. No snooping of usernames and passwords.

Please let me know your thoughts.

I think people have had success with IIS. For doing this you'd be tempted to remove the login page and use native SSL and Windows authentication to log in.
UncleJohnsBand
Offline

Posting Freak

U.S.A.
Posts: 5,643
Threads: 258
Joined: Feb 2005
#3
2009-02-28, 12:46 AM
psycik Wrote:
pippya Wrote: Hi
2. Port forwarding from your router, use a high port number; I presume you change the defaults 7647 and 7648? How secure is WinXP in this instance? What's the likelihood of someone compromising the machine to gain access to your network? As it's not SSL, username and password can be read with sniffers? Assume firewall is on and password is enabled to EWA. This works for me also; I have disabled port forwarding till the outcome of this discussion.

This is also quite a good one, especially if only the one port. Not sure how secure the authentication page is, like is it clear text etc., but I do this one as well when I'm out with no PuTTY client (i.e. cellphone access).

As an FYI... the ID and password exchange is secure... your user ID and password that are entered are encrypted on the client machine using a "salt", and the server side reads the posted ID and password, decoding using the "salt", and the result is compared to what is stored in the GBPVR config.
Intel Core i7 @ 4.00GHz Skylake 14nm
ASUSTeK COMPUTER INC. Z170-DELUXE
Windows 10 Pro x64
PVR Software: NPVR 5.1.1
SiliconDust HDHomeRun HDHR5-4US Connect Quatro 4 Channel Tuner
Roku Ultra
2 PCH A-100's
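
A salted login exchange of the general kind described in the post above, sketched in Python as an added example; it is not GBPVR/EWA code, and the scheme EWA actually uses is not shown in this thread. It assumes a random salt issued per login attempt and HMAC-SHA256; the `Server` class, `client_response` and the sample account are made up for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store. A real server would keep a slow password
# hash (PBKDF2, bcrypt, ...) rather than a bare SHA-256 digest.
STORED = {"pvr": hashlib.sha256(b"correct horse").hexdigest()}


class Server:
    """Issues a one-time salt per login attempt and verifies the response."""

    def __init__(self, store):
        self.store = store
        self.pending = {}  # user -> salt still waiting for a response

    def challenge(self, user):
        salt = secrets.token_hex(16)
        self.pending[user] = salt
        return salt

    def verify(self, user, salt, response):
        # pop() makes each salt single-use, so a captured response cannot be replayed
        if self.pending.pop(user, None) != salt or user not in self.store:
            return False
        expected = hmac.new(self.store[user].encode(), salt.encode(), hashlib.sha256)
        return hmac.compare_digest(expected.hexdigest(), response)


def client_response(password, salt):
    """What the browser posts instead of the clear-text password."""
    key = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(key.encode(), salt.encode(), hashlib.sha256).hexdigest()


def demo():
    server = Server(STORED)
    salt = server.challenge("pvr")
    posted = client_response("correct horse", salt)     # all a sniffer would capture
    first = server.verify("pvr", salt, posted)           # legitimate login
    replay_same = server.verify("pvr", salt, posted)     # same salt, already used
    fresh = server.challenge("pvr")
    replay_fresh = server.verify("pvr", fresh, posted)   # old response, new salt
    salt3 = server.challenge("pvr")
    wrong = server.verify("pvr", salt3, client_response("guess", salt3))
    return first, replay_same, replay_fresh, wrong
```

An exchange like this keeps only the password off the wire; everything after login, including the stream on 7648, still travels unencrypted over plain HTTP, which is the part the VPN, SSH tunnel and SSL options in this thread cover.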
pippya
Offline

Junior Member

Posts: 14
Threads: 4
Joined: Feb 2009
#4
2009-03-05, 02:48 PM
Thanks UJB,
UJB and Sub, it would be useful if a best security practice for EWA was included in the documentation. This could include how to lock down WinXP, i.e. firewall settings, best practice for accessing it from the internet, how to protect the machine from being compromised, and so on....
What do you think?
Thanks, Phillip
hakras
Offline

Member

Posts: 228
Threads: 40
Joined: Mar 2007
#5
2009-03-15, 12:00 AM
It's funny that I just found this thread. I opened up this traffic to my network today. I forwarded the port on my DSL wireless router/firewall to the firewall/router/proxy to my internal network. Then I did a DNAT to my GBPVR server. Everything seems to be working fine. I need to go back in and lock down/restrict a bit more. Probably do a port translation. I tested it from the wireless network (between the 2 firewalls - my little DMZ) and from the internet.

I forgot all about port 7648 :eek:

I need that port opened for streaming. Right? Guess I'll be adding more rules. Does port 7648 only need to be outgoing from the server?
UncleJohnsBand
Offline

Posting Freak

U.S.A.
Posts: 5,643
Threads: 258
Joined: Feb 2005
#6
2009-03-15, 02:38 AM
hakras Wrote: I need that port opened for streaming. Right? Guess I'll be adding more rules. Does port 7648 only need to be outgoing from the server?

7647 is for the main EWA interface (configurable in GBPVR).

7648 is for streaming (Configurable in Streamer pop-up).

If you want to use enclosures in the RSS feed you can set up HFS to send the enclosures, and you will need to open up the port you set up for that. Instructions for RSS & enclosures are on the wiki.
hakras
Offline

Member

Posts: 228
Threads: 40
Joined: Mar 2007
#7
2009-03-15, 12:10 PM
I can't open the media stream. I get this:

Code:
Your input can't be opened:
VLC is unable to open the MRL 'http://firewallIP:7648'. Check the log for details.

I'm guessing that it has something to do with the firewall configuration. I opened the port on the server firewall. I'll try from an internal PC to verify.
hakras
Offline

Member

Posts: 228
Threads: 40
Joined: Mar 2007
#8
2009-03-15, 01:08 PM
I got it working. User error. I copied my DNAT rule and changed the destination, but forgot to change the source port. All is good now.
hakras
Offline

Member

Posts: 228
Threads: 40
Joined: Mar 2007
#9
2009-03-15, 01:13 PM
I do have a minor issue. When I go to Video Library and select a movie, the folder art is cut. I only see the top 25% of the art.
UncleJohnsBand
Offline

Posting Freak

U.S.A.
Posts: 5,643
Threads: 258
Joined: Feb 2005
#10
2009-03-15, 01:38 PM
hakras Wrote: I do have a minor issue. When I go to Video Library and select a movie, the folder art is cut. I only see the top 25% of the art.

What extensions are you using in your folder art?